ArchLinux: 202101-3: poppler: arbitrary code execution
Summary
DCTStream::getChars in DCTStream.cc in Poppler 20.12.1 has a heap-based buffer overflow via a crafted PDF document.
Resolution
Upgrade to 21.01.0-1.
# pacman -Syu "poppler>=21.01.0-1"
The problem has been fixed upstream in version 21.01.0.
References
https://gitlab.freedesktop.org/poppler/poppler/-/issues/1011 https://gitlab.freedesktop.org/poppler/poppler/uploads/8455cee26a313a3a0174a01e4ec80e33/poc https://gitlab.freedesktop.org/poppler/poppler/-/commit/ae614bf8ab42c9d0c7ac57ecdfdcbcfc4ff6c639 https://security.archlinux.org/CVE-2020-35702
Workaround
None.